
[CVSS 9+] China-Linked Espionage Group Exploits VMWare Vulnerability

Executive Summary

A China-linked cyber espionage group known as UNC3886 has been exploiting a critical vulnerability in VMware vCenter Server.

The group has been exploiting the vulnerability, CVE-2023-34048, since late 2021, which has raised concerns in the cybersecurity community.

VMware, the virtualisation services provider, recommends that users promptly update to the latest version to safeguard their systems against potential threats.

What Is Happening

Mandiant reported that UNC3886 has been exploiting CVE-2023-34048, a critical vulnerability in VMware vCenter Server. This vulnerability allows malicious actors with network access to vCenter Server to execute an out-of-bounds write operation.

Once UNC3886 gains access to vCenter Server, they can achieve privileged access to the system.

Then, they proceed to enumerate all ESXi hosts and their associated guest virtual machines attached to the system.

The next phase involves obtaining “vpxuser” credentials for the hosts and connecting to them. This connection facilitates the installation of malware, including VIRTUALPITA and VIRTUALPIE, giving the attackers direct access to the hosts.

Ultimately, the attackers exploit another VMware flaw, CVE-2023-20867 (CVSS score: 3.9), to execute arbitrary commands and transfer files to and from guest VMs from a compromised ESXi host.


UNC3886’s cyber espionage campaign leveraging CVE-2023-34048 and other vulnerabilities has severe consequences, including:

  • Data Breach: Sensitive data within the virtualized environment may be compromised, risking proprietary information and customer data.
  • Operational Disruption: Manipulation of virtual infrastructure can lead to service disruptions and downtime, impacting business operations.
  • Persistent Access: Installed malware grants long-term access, enabling ongoing data theft and unauthorised activities.

CVE-2023-34048 is a critical vulnerability in VMware vCenter Server that allowed UNC3886 to gain privileged access to the system.

With a CVSS score of 9.8, it poses a significant threat. VMware addressed this vulnerability by releasing a fix on October 24, 2023. For more information about this vulnerability, please refer to our earlier news article.

The exploitation of this vulnerability as a zero-day had gone unnoticed for nearly two years.

On January 17th, VMware updated its security advisory and acknowledged the exploitation of the vulnerability.

About the Attackers

UNC3886 is a Chinese threat group known for exploiting zero-day vulnerabilities, especially targeting firewall and virtualisation platforms.

They focus primarily on entities in sectors such as defence, government, telecom, and technology, with a particular emphasis on the United States and the APJ region.

UNC3886’s ability to operate undetected for an extended period underscores its expertise in avoiding traditional security measures.

Closing Comments

UNC3886’s campaign emphasises the sophistication and persistence of state-sponsored threat actors.

Also, this campaign highlights the following issues:

  • The presence of undetected vulnerabilities emphasises the need for improved vulnerability management.
  • The existence of undetected exploits for two years highlights the challenges in detecting sophisticated incidents.

In summary, it underscores the importance of timely vulnerability management, robust security monitoring, and advanced detection capabilities to counteract such advanced threats.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.
